Bug#836586: unknown external IP in xrdp.log after upgrade?!?

2016-09-07 Thread Dominik George
Control: forwarded -1 https://github.com/neutrinolabs/xrdp/issues/421

On Wednesday, 7 September 2016 12:11:31 CEST Dominik George wrote:
> Hang on… this is cool:
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=145088=yes
> […]

And another one: https://marc.info/?l=freebsd-sparc64=103347393830063=2

Seems to be a popular issue ;)!

-nik

-- 
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296

Dominik George · Mobil: +49-1520-1981389

Teckids e.V. · FrOSCon e.V. · OpenRheinRuhr e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Contributor

LPIC-3 Linux Enterprise Professional (Security)

signature.asc
Description: This is a digitally signed message part.


Bug#836586: unknown external IP in xrdp.log after upgrade?!?

2016-09-07 Thread Dominik George
Hang on… this is cool:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=145088=yes

Date: Mon, 29 Apr 2002 20:33:49 -0300

Package: libsnmp4.2
Version: 4.2.4-2
Severity: important

The new libwrap stuff for agentX simply does not work.

Apr 29 16:33:22 khazad-dum ucd-snmp[13833]: AgentX connection from 97.114.47.114 REFUSED

Apparently, it is getting random memory as the IP […]


Now, it doesn't appear so random anymore… Apparently, it is the same type of 
bug - why it produces the same address, however, is a mystery to me, but maybe 
it goes out pointing to the same static memory from libc or something.

Cheers,
Nik

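Worth noting while reading the two reports side by side: the octets 97.114.47.114 are the ASCII bytes 'a', 'r', '/', 'r', and the port 12150 is 0x2F76, the bytes '/', 'v'. Laid out in memory order (port first, then address, as in struct sockaddr_in) that is the string "/var/r". A struct sockaddr_un whose sun_path begins "/var/r..." reads as exactly this endpoint if it is cast to struct sockaddr_in without checking the address family, which is one concrete way to get the "same type of bug" and the same fixed address every time. Whether that is what happens inside xrdp is not established by the thread; the example below is an added illustration written for this page, not xrdp's code, and the socket path "/var/run/example.sock" is a constructed placeholder. It shows the family-blind formatting beside a version that dispatches on the family the kernel actually filled in, plus a small triage helper that turns a logged address and port back into the bytes they occupy:

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Formats the buffer as an IPv4 endpoint without looking at the address
 * family. This is the class of mistake the thread speculates about; it is a
 * constructed illustration, not code taken from xrdp. */
static const char *endpoint_unchecked(const struct sockaddr_storage *ss,
                                      char *out, size_t outlen)
{
    const struct sockaddr_in *sin = (const struct sockaddr_in *)ss;
    char ip[INET_ADDRSTRLEN];

    inet_ntop(AF_INET, &sin->sin_addr, ip, sizeof ip);
    snprintf(out, outlen, "%s:%u", ip, (unsigned)ntohs(sin->sin_port));
    return out;
}

/* Dispatches on the family that accept()/getpeername() actually filled in, so
 * a unix-domain or never-filled structure cannot be printed as an IPv4 peer. */
static const char *endpoint_checked(const struct sockaddr_storage *ss,
                                    socklen_t len, char *out, size_t outlen)
{
    char ip[INET6_ADDRSTRLEN];

    if (ss->ss_family == AF_INET && len >= sizeof(struct sockaddr_in)) {
        const struct sockaddr_in *sin = (const struct sockaddr_in *)ss;
        inet_ntop(AF_INET, &sin->sin_addr, ip, sizeof ip);
        snprintf(out, outlen, "%s:%u", ip, (unsigned)ntohs(sin->sin_port));
    } else if (ss->ss_family == AF_INET6 && len >= sizeof(struct sockaddr_in6)) {
        const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)ss;
        inet_ntop(AF_INET6, &sin6->sin6_addr, ip, sizeof ip);
        snprintf(out, outlen, "[%s]:%u", ip, (unsigned)ntohs(sin6->sin6_port));
    } else if (ss->ss_family == AF_UNIX) {
        const struct sockaddr_un *sun = (const struct sockaddr_un *)ss;
        snprintf(out, outlen, "unix:%.*s", (int)sizeof sun->sun_path, sun->sun_path);
    } else {
        snprintf(out, outlen, "unknown-family-%d", (int)ss->ss_family);
    }
    return out;
}

/* Builds a unix-domain address; the path is a constructed placeholder. */
static socklen_t make_unix_addr(struct sockaddr_storage *ss, const char *path)
{
    struct sockaddr_un *sun = (struct sockaddr_un *)ss;

    memset(ss, 0, sizeof *ss);
    sun->sun_family = AF_UNIX;
    strncpy(sun->sun_path, path, sizeof sun->sun_path - 1);
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + strlen(sun->sun_path) + 1);
}

/* Builds an IPv4 address the way accept() would fill it in. */
static socklen_t make_inet_addr(struct sockaddr_storage *ss, const char *ip, unsigned port)
{
    struct sockaddr_in *sin = (struct sockaddr_in *)ss;

    memset(ss, 0, sizeof *ss);
    sin->sin_family = AF_INET;
    sin->sin_port = htons((unsigned short)port);
    inet_pton(AF_INET, ip, &sin->sin_addr);
    return (socklen_t)sizeof *sin;
}

/* Triage helper: lays a logged port and address back out in the byte order
 * they occupy in struct sockaddr_in, so a "peer" that was really a string
 * reveals its text. out must hold 7 bytes. */
static const char *endpoint_as_text(const char *ip, unsigned port, char out[7])
{
    unsigned o[4];

    if (sscanf(ip, "%u.%u.%u.%u", &o[0], &o[1], &o[2], &o[3]) != 4) {
        out[0] = 0;
        return out;
    }
    out[0] = (char)(port >> 8);      /* sin_port is stored big-endian */
    out[1] = (char)(port & 0xff);
    for (int i = 0; i < 4; i++)
        out[2 + i] = (char)o[i];     /* sin_addr follows immediately */
    out[6] = 0;
    return out;
}

int main(void)
{
    struct sockaddr_storage ss;
    char buf[128], text[7];
    socklen_t len = make_unix_addr(&ss, "/var/run/example.sock");

    printf("family-blind: %s\n", endpoint_unchecked(&ss, buf, sizeof buf));
    printf("family-aware: %s\n", endpoint_checked(&ss, len, buf, sizeof buf));
    printf("97.114.47.114:12150 as bytes: \"%s\"\n",
           endpoint_as_text("97.114.47.114", 12150, text));
    return 0;
}
```

The family-blind formatter prints the constructed unix socket as 97.114.47.114:12150, the very endpoint from the report, while the family-aware one prints it as a unix path. A zeroed, never-filled structure comes out of the blind formatter as 0.0.0.0:0, which is why a fixed bogus address and an all-zero address are both worth treating as "the log cannot be trusted here" rather than as evidence of a remote peer; a tcpdump taken during the event, as suggested later in the thread, is the way to confirm which it is.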


Bug#836586: unknown external IP in xrdp.log after upgrade?!?

2016-09-07 Thread Dominik George
Hi,

OK, I can actually reproduce the issue - but only on jessie, not on sid (it's 
also i386 vs. amd64, maybe).

Reading code and discussing with upstream now.

-nik



Bug#836586: unknown external IP in xrdp.log after upgrade?!?

2016-09-07 Thread Christian Pernegger
2016-09-05 11:01 GMT+02:00 Dominik George:
>> Yes, it's connected to the internet, no it's not reachable from
>> outside the LAN (on any port).
>
> Can you please double-check that?

I've a dedicated jessie box on firewall / NAT router duty, no
forwarded ports. I can't rule out a hundred percent that it isn't
compromised, of course, but everything looks fine.

> Please also grep in your log files and in /etc for this IP address. Does it
> also show up anywhere else?

No. Just in /var/log/xrdp.log (and identically in /var/log/daemon.log)

> I doubt either. The first because what you see is a *client* address
> connecting to xrdp on your host

Strictly speaking, that's not correct. I only ever get
*disconnections* from that address.

> the second because the IP address is taken directly
> from the socket structure,

All it takes is one stupid typo.

Looking at xrdp.log and xrdp-sesman.log, there's only ever connections
from "0.0.0.0:port"; and disconnections from "0.0.0.0:port",
"97.114.47.114:port" and "NULL:NULL". I'd expect my workstation's
192.168.0.0/24 address and 127.0.0.1 to show up, they don't.

> can you actually reproduce the issue?

This is a (commented) tail -f over both logs. It does change a bit for
reconnections but in principle it's always the same.

# try to connect from 192.168.0.35
==> xrdp.log <==
[20160907-11:46:58] [INFO ] A connection received from: 0.0.0.0 port 53773
[20160907-11:46:58] [INFO ] An established connection closed to endpoint: 0.0.0.0:53773 - socket: 11
[20160907-11:46:58] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 10
[20160907-11:46:58] [CORE ] WARNING: Invalid x.509 certificate path defined, default path will be used: /etc/xrdp/cert.pem
[20160907-11:46:58] [WARN ] Invalid X.509 certificate path defined, default path will be used: /etc/xrdp/key.pem
[20160907-11:46:58] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 11
[20160907-11:46:58] [INFO ] A connection received from: 0.0.0.0 port 53774
[20160907-11:46:58] [ERROR] Listening socket is in wrong state we terminate listener
[20160907-11:46:58] [INFO ] An established connection closed to endpoint: 0.0.0.0:53774 - socket: 11
[20160907-11:46:58] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 10
[20160907-11:46:59] [CORE ] WARNING: Invalid x.509 certificate path defined, default path will be used: /etc/xrdp/cert.pem
[20160907-11:46:59] [WARN ] Invalid X.509 certificate path defined, default path will be used: /etc/xrdp/key.pem
[20160907-11:46:59] [DEBUG] xrdp_0f24_wm_login_mode_event_0001
[20160907-11:46:59] [WARN ] local keymap file for 0xac07 found and doesn't match built in keymap, using local keymap file

==> xrdp-sesman.log <==
[20160907-11:47:08] [INFO ] A connection received from: 0.0.0.0 port 58234

==> xrdp.log <==
[20160907-11:47:09] [DEBUG] return value from xrdp_mm_connect 0

==> xrdp-sesman.log <==
[20160907-11:47:09] [INFO ] ++ created session (access granted): username chris, ip 0.0.0.0:53774 - socket: 11
[20160907-11:47:09] [INFO ] starting Xorg session...
[20160907-11:47:09] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 9
[20160907-11:47:09] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 9
[20160907-11:47:09] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 9
[20160907-11:47:09] [INFO ] An established connection closed to endpoint: 0.0.0.0:58234 - socket: 8
[20160907-11:47:09] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 393221
[20160907-11:47:09] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 8
[20160907-11:47:09] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 7
[20160907-11:47:09] [INFO ] Xorg :10 -config xrdp/xorg.conf -noreset -ac -nolisten tcp -retro
[20160907-11:47:09] [INFO ] starting xrdp-sessvc - xpid=3880 - wmpid=3879

==> xrdp.log <==
[20160907-11:47:09] [INFO ] lib_mod_log_peer: xrdp_pid=3876 connected to X11rdp_pid=3880 X11rdp_uid=1000 X11rdp_gid=1000 client_ip= client_port=
[20160907-11:47:09] [DEBUG] xrdp_mm_connect_chansrv: chansrv connect successful
[20160907-11:47:09] [INFO ] An established connection closed to endpoint: 0.0.0.0:3350 - socket: 22
[20160907-11:47:09] [INFO ] The following channel is allowed: rdpdr (0)
[20160907-11:47:09] [INFO ] The following channel is allowed: rdpsnd (1)
[20160907-11:47:09] [INFO ] The following channel is allowed: cliprdr (2)
[20160907-11:47:10] [INFO ] The following channel is allowed: drdynvc (3)
[20160907-11:47:10] [DEBUG] The allow channel list now initialized for this session
# at this point I'm logged in and staring at an empty teal background, but that's a different problem


# close down the session
[20160907-11:48:00] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 11
[20160907-11:48:00] [DEBUG] xrdp_mm_module_cleanup
[20160907-11:48:00] [INFO 

Bug#836586: unknown external IP in xrdp.log after upgrade?!?

2016-09-05 Thread Dominik George
Hi,

> > Are you sure this is in fact the one connection you are closing?
> 
> I don't see what else it could be, certainly nothing legitimate. The
> only access to the box was me testing xrdp, running a tail -f
> alongside.

OK.

> 
> > Is the system connected to the internet (and reachable from there on the
> > RDP port)?
> 
> Yes, it's connected to the internet, no it's not reachable from
> outside the LAN (on any port).

Can you please double-check that?

Please also grep in your log files and in /etc for this IP address. Does it 
also show up anywhere else?

> 
> > Removing the security tag as I do not see how IP based connections from
> > somewhere to your host could be a security bug in xrdp.
> 
> Well, either xrdp is "phoning home" (worrying, but unlikely) or the
> displayed IP address is bogus (parsing error, an off pointer ...) --
> both are potentially security relevant.

I doubt either. The first because what you see is a *client* address 
connecting to xrdp on your host - so even *if* it were a reaction to some 
phoning home, it would still involve your system being reachable from the 
internet, which you deny; the second because the IP address is taken directly 
from the socket structure, so if there were a bug, it would be in libc and this 
would not be the only reference to it ;).

If the address shows up nowhere else and you are absolutely positive it 
cannot be background noise from the internet, then we will have to wait for 
someone else hitting this bug, or collect more information, e.g. do a tcpdump 
on your system while it occurs (speaking of that - can you actually reproduce 
the issue?).

Cheers,
Nik




Bug#836586: unknown external IP in xrdp.log after upgrade?!?

2016-09-05 Thread Christian Pernegger
> Are you sure this is in fact the one connection you are closing?

I don't see what else it could be, certainly nothing legitimate. The
only access to the box was me testing xrdp, running a tail -f
alongside.

> Is the system connected to the internet (and reachable from there on the RDP
> port)?

Yes, it's connected to the internet, no it's not reachable from
outside the LAN (on any port).

> Removing the security tag as I do not see how IP based connections from
> somewhere to your host could be a security bug in xrdp.

Well, either xrdp is "phoning home" (worrying, but unlikely) or the
displayed IP address is bogus (parsing error, an off pointer ...) --
both are potentially security relevant.

Cheers,
C.



Bug#836586: unknown external IP in xrdp.log after upgrade?!?

2016-09-04 Thread Dominik George
Control: tag -1 + moreinfo
Control: tag -1 - security

Hi,

> [20160904-11:25:17] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 11
> [20160904-11:25:17] [DEBUG] xrdp_mm_module_cleanup
> [20160904-11:25:17] [INFO ] An established connection closed to endpoint: 97.114.47.114:12150 - socket: 23
> [20160904-11:25:17] [INFO ] An established connection closed to endpoint: 97.114.47.114:12150 - socket: 24
> [20160904-11:25:18] [ERROR] Listening socket is in wrong state we terminate listener
> 
> 
> (That's on closing one of these "blank" sessions.) I'm not in the US
> and all connections to xrdp are strictly LAN-only (192.168.0.0/24)
> anyway, so what's a US address doing in there?

Are you sure this is in fact the one connection you are closing?

Couldn't it just be coincidence?

Is the system connected to the internet (and reachable from there on the RDP 
port)?

Removing the security tag as I do not see how IP based connections from 
somewhere to your host could be a security bug in xrdp.

Cheers,
Nik



Bug#836586: unknown external IP in xrdp.log after upgrade?!?

2016-09-04 Thread Christian Pernegger
Package: xrdp
Version: 0.9.0~20160601+git703fedd-3
Tags: security

Hi,

while trying to debug why xrdp has stopped working here after the
upgrade to 0.9 -- login works fine but dumps one in front of an empty
solid teal screen instead of the expected MATE session --, I stumbled
across the following in xrdp.log:

[20160904-11:25:17] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 11
[20160904-11:25:17] [DEBUG] xrdp_mm_module_cleanup
[20160904-11:25:17] [INFO ] An established connection closed to endpoint: 97.114.47.114:12150 - socket: 23
[20160904-11:25:17] [INFO ] An established connection closed to endpoint: 97.114.47.114:12150 - socket: 24
[20160904-11:25:18] [ERROR] Listening socket is in wrong state we terminate listener


(That's on closing one of these "blank" sessions.) I'm not in the US
and all connections to xrdp are strictly LAN-only (192.168.0.0/24)
anyway, so what's a US address doing in there?

Cheers,
Christian

P.S.: Once reportbug is working again, I can do a follow-up with the
full template info.